1. Applicant's response of 6/69/08 has been entered. The examiner will address
applicant's remarks at the end of this office action. 



2. 35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of 
matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the 
conditions and requirements of this title. 

3. Claims 1-25,27,28,30-56,58,60-74,76-89,119-122, are rejected under 35 
U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. 

For claims 1,16-18,24,31,63,76, it is claimed that a "detection rating" and an 
"occurrence rating" is determined, a QFD score is calculated, and it is claimed that a 
RPN is calculated using a specific formula. Each independent claim requires that a 
"detection rating" be determined as well as an "occurrence rating". The examiner takes 
notice of the fact that it is a person that decides what values the variables of "detection 
rating", "occurrence rating", "severity rating", "occurrence rating", and "process strength 
rating" are supposed to have. The examiner also notes that the specification provides 
no guidance on how one should go about determining the correct values for these 
variables, so that the result would be useful and would be repeatable. With respect to 
the "severity" and "process strength" ratings, the QFD is calculated from the 
multiplication of these two values together, see page 16 of the instant specification. 
Because all of the variables used to calculate the QFD score are disclosed as being 
determined by people and because there is no guidance given on how to go about 
choosing the appropriate values for these variables, the result of the invention is not 
considered to be concrete (i.e. it is not capable of being repeated to arrive at a particular 
result). The same is true for the "detection rating" and "occurrence rating". This is
disclosed as being determined by people, see page 17 of the specification. No 
guidance is given on how to go about choosing the detection rating value or the 
occurrence rating value (other than choosing a number from 1 to 10, which is not 
sufficient guidance for all situations that the claims cover). Because of the fact that 
different people may ascribe different values to the variables used in the equation, and 
because no guidance is given on how to go about choosing the values for the "detection 
rating", "severity rating", "occurrence rating", and "process strength rating", the result is
not guaranteed. The claim is not statutory because the result is not concrete (i.e. it is 
not capable of being repeated due to the human factor). The input is judgmental and 
will vary from person to person so the result will vary as well. The same holds true for 
claim 24 that recites the variables used to calculate a PRN, the values used in the 
equation are determined by people and are judgmental in nature; therefore, the claim 
does not have a concrete result. Additionally, because the results are not concrete, the 
examiner does not see how the result is useful in the context of 35 USC 101. Because
the calculated QFD score and PRN are only as accurate as the inputted data is 
accurate, the result is not considered to be useful. If the result can vary depending on 
the person deciding what values the variables of the equation are supposed to have, 
and no guidance is given to allow two people to reasonably know how to determine the 
correct numbers, then one cannot have any confidence in the obtained result, because 
it is only as good as the data inputted into the equation, which is determined by people 
with no standards to go by. There is no guarantee that the result obtained is even 
accurate, because the entire equation is based on a person's perception and judgments
as to what the "detection rating", "severity rating", and what the "process strength rating" 
is. 

4. The following is a quotation of the first paragraph of 35 U.S.C. 112: 

The specification shall contain a written description of the invention, and of the manner and process of 
making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the 
art to which it pertains, or with which it is most nearly connected, to make and use the same and shall 
set forth the best mode contemplated by the inventor of carrying out his invention. 

5. Claims 1-25,27,28,30-56,58,60-74,76-89,119-122, are rejected under 35 U.S.C.
112, first paragraph, as failing to comply with the enablement requirement. The claim(s)
contains subject matter which was not described in the specification in such a way as to 
enable one skilled in the art to which it pertains, or with which it is most nearly 
connected, to make and/or use the invention. 

For claims 1,31,63,76, it is claimed that a "detection rating" and an "occurrence 
rating" are determined. The examiner takes notice of the fact that it is a person that 
decides what values the variables of "detection rating" and "occurrence rating" are
supposed to have. The examiner notes that the specification provides no guidance on 
how one should go about determining the correct values for these variables, so one of 
skill in the art would be left guessing on how to do what is claimed. The "detection 
rating" is disclosed as being determined by people, see page 17 of the specification. 
This is also true of the "occurrence rating". People determine what the detection rating 
and occurrence rating are going to be, and no guidance is given on how to go about 
choosing the value for the detection rating or the occurrence rating (other than choosing 
a number from 1 to 10, which is not sufficient guidance for all situations that the claims
cover). With respect to the disclosure of choosing values from 1 to 10, how can one go
about and figure out whether or not a value of 2 is appropriate versus a 3 or possibly a 
4? What are the values between one (remote chance) and ten (assured) supposed to 
have as far as meaning goes? What if there is a reasonable chance? Is this a 6 or a 7 
or maybe an 8? This decision will necessarily affect the end result of the method. How 
would one of skill in the art do what is claimed? The only way they could do it is by
guessing or randomly picking a value. This does not teach to one of skill in the art how 
to go about and use the claimed invention. How is the detection rating arrived at? 
Because this is not disclosed, and because it is disclosed that a person chooses the 
value, the claim is not considered to be enabled. There is not enough of a disclosure to 
allow one of skill in the art to make and use the claimed invention without undue 
experimentation (which is present due to the lack of guidance). 

With respect to claims 31,63-89, and the recitation that the server prioritizes the
compliance risks for the business, identifies potential failure modes with causes and 
effects, and recommends risk monitoring and control mechanisms, one of skill in the art 
would not be able to make the server do what is claimed. This is because the applicant 
has disclosed that it is people that do these steps, not the server. One of skill in the art 
would not be able to figure out how to get the server to prioritize the risks because this 
depends on what the business sees as the most risky based on any known 
consequences that may happen if the risk materializes. How would one of skill in the art 
go about making the server prioritize the risks, especially for a plurality of different 
business settings that have different compliance issues that need to be dealt with? How
is this done? How can the server know what to do? With respect to identifying failure 
modes and the causes and effects, how is this done by the server? How does the 
server know what possible failures could occur for any kind of business process? The 
same is true for the recommendation of risk monitoring and control mechanisms, how 
does the server do this? One of skill in the art would be left guessing how to program 
the server to do what the specification disclosed is being done by people. The server is 
clearly used in the storing of data and in collecting/receiving the data, but the 
specification is full of references to the fact that it is people doing the majority of the 
actions, not the server. One of skill in the art would not be able to make the invention
as claimed and undue experimentation would be involved to make the server do what
is claimed. The claims are not enabled because one of skill in the art would not be able 
to make a server that does everything that is claimed. 

For claims 32,33,35,36, the claim is not enabled. How can the server assemble 
the cross-functional team and conduct an interview with a person, etc.? As stated with
respect to claim 31, people are disclosed as doing these steps, not the server. People,
not the server, also do the summary of the results. One of skill in the art would not be 
able to make the server do what is claimed and undue experimentation would be 
involved. 

For claim 34, one of skill in the art would not be able to go about and make a 
server that can create a questionnaire as claimed. How can the server know what the 
business is and what questions should be asked? The server cannot do this step, 
people do. Applicant has not disclosed how one of skill in the art can make the server
do what is claimed. 

For claims 39-42, how would one of skill in the art go about making the server 
prioritize the risks deemed to be important to the business, especially when that is 
disclosed as being done by people. The server is not capable of knowing what the 
business management members know and cannot map a risk model, compile 
compliance requirements and prioritize them, assign a severity rating (disclosed as 
being done by people), etc. One of skill in the art would not be able to make the server
do what is claimed, especially in view of the fact that the specification discloses that 
people do these steps. The same is true for claim 40, the guidance from the 
specification does not include how to make the server do what is claimed because 
people do it. For claim 41, how does the server compile a list of requirements that
include company policy as well as the other recited requirements? The server does not
compile the various requirements; it is an employee that compiles the requirements.

Claims 43-56,58,60-62 are also found to be non-enabled for the same reasoning 
as set forth above. The specification teaches that people compile the list of compliance 
requirements, people prioritize the risks, people assign severity ratings and process 
strength ratings, people map the risk model and identify possible failure modes, assign 
occurrence and detection factors, define recommended actions, etc.

For all of claims 31-56,58,60-74,76-89, Applicant has not given enough 
disclosure to enable one of skill in the art to make a computer system that has a server 
that does everything that is claimed. One of skill in the art reading the specification 
would be very confused because of the fact that it is disclosed that people do most of
the recited steps, not the server. One of skill in the art would have to undergo undue
experimentation to design an intelligent system that can basically tell management what 
to do and more or less run the company with respect to compliance issues. The way 
the claims are written it is the server doing everything, but the specification teaches that 
most of the steps are done by people. The claims are not enabled for these reasons. 

6. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

7. This application currently names joint inventors. In considering patentability of 
the claims under 35 U.S.C. 103(a), the examiner presumes that the subject matter of 
the various claims was commonly owned at the time any inventions covered therein 
were made absent any evidence to the contrary. Applicant is advised of the obligation 
under 37 CFR 1.56 to point out the inventor and invention dates of each claim that was
not commonly owned at the time a later invention was made in order for the examiner to
consider the applicability of 35 U.S.C. 103(c) and potential 35 U.S.C. 102(e), (f) or (g)
prior art under 35 U.S.C. 103(a). 

8. Claims 1-16,18-23,25,27,28,30-45,47-53,55,56,58,60-74,76-89,119-122 are 
rejected under 35 U.S.C. 103(a) as being unpatentable over Fetherston (20020120642) 
in view of Buddie et al. (6912502).

For claims 1,3,5,6,11-16,18,19,21,23,31,39-45,47,48,51,52,63-65,68-74,76-89,
Fetherston discloses a system and method of determining a company's compliance with 
legislative conditions and/or internal managerial conditions. Fetherston discloses a 
compliance management system that determines and identifies compliance or lack of 
compliance with certain criteria (relating to processes or products of business). The 
server is 2 and the database is 4 and/or 16. The client system is disclosed in paragraph 
28 where it is disclosed that the system can be a "stand alone" computer or may be 
connected to other components (computers) of a network. It is also stated that the 
system can be implemented on separate networked computers accessible from all or 
selected levels of an organization. Information concerning compliance is stored in the 
database as claimed. This includes a questionnaire (see figure 4, paragraphs 34 and 
38) and compliance requirements (see paragraph 12). Also see figure 4 where it is 
disclosed that one of the data entries is the "Department". Identifying the department 
also identifies the persons responsible for compliance (i.e. the employees in that 
department). In paragraph 38 it is disclosed that a user is forced to follow a process 
and pattern of data entry (by using a computer) to collect data needed to determine the 
level of compliance with the saved compliance requirements. This involves the 
displaying of the questionnaire of figure 4 on a client system (a computer) that is 
inherently based on saved compliance information relating to whatever requirements 
have to be complied with. The server 2 then receives the entered data, and saving the 
data "processes" the data. The system also prioritizes the compliance risk for a 
business by identifying the compliance risks and prioritizing them from high to low 
based on a severity rating. Paragraph 42 discloses the identification of hazards (risks)
that exceed a certain rating. This satisfies the claimed identification of the compliance 
risks. Assigning a numerical priority to each risk by using a "risk assessment rating" 
prioritizes the identified risks. The risk assessment rating satisfies the claimed "severity 
rating". The calculating of a risk prioritization number (RPN) for each risk is satisfied by 
the disclosure that "the user may specify the threshold value, enabling an organization 
to concentrate first on high priority hazards by specifying a high threshold, then lowering 
the threshold to concentrate on lower priority hazards". The user "calculates" or figures 
out how important each risk is at the present time (based on factors which inherently 
include current compliance with certain criteria, which is saved data stored in the 
database) to arrive at a prioritization number (threshold value) for each risk. The RPN 
is a product of (the result of) taking into account various factors relating to the 
compliance issues. Once the various risks are analyzed and management is aware of 
potential problems, implementation of controls such as training can be done. The 
database also stores information on training to be given (a control). The language 
reciting that the RPN is "directly related to current controls in place and the detection 
rating" is noted but is not a further method step and is not reciting any further structure 
that would be different from that which is disclosed by Fetherston. Clearly the RPN of 
Fetherston is related to current controls in place and the detection rating because this
number is inherently related to this kind of information. 

Not specifically disclosed is the step of identifying failure modes with the causes 
and effects of the compliance failure modes along with the storing of this data in the 
database (also relates to the claimed FEMA for claim 11). Also not disclosed is the act
of identifying the current control in place and a detection rating that represents whether 
or not the current controls that are in place will detect compliance failure modes, and an 
occurrence rating that represents the likelihood of occurrence of potential compliance 
failure modes. 

Also not disclosed is the use of a dashboard to summarize actions to be taken 
and key metrics as has been added to the independent claims. This will be addressed 
after the limitations of the preceding paragraph have been addressed. 

When one receives an indication that certain legislative requirements (or internal 
company criteria) are not being met, one of ordinary skill in the art would obviously want 
to know why that is happening, so that the problem can be fixed. One of ordinary skill in 
the art would also find it desirable to have some form of controls in place to detect when 
a condition may be violated as well as having a way to assess the effectiveness of the 
current controls. It is clear that one of ordinary skill in the art would not want to violate 
any compliance requirements and would take steps to ensure proper compliance. Upon 
receiving information that indicates failure to comply with certain compliance 
requirements, one of ordinary skill in the art at the time the invention was made would 
have been motivated and found it obvious to identify the failure modes for each risk, 
with the associated causes and effects of those failure modes so that the problem can 
be corrected (by taking actions). This is how one of ordinary skill in the art would go 
about correcting the non-compliance issues identified. You must first identify the 
problem and figure out why it is happening (causes/effects) before you can arrive at a 
solution (an action). This is something that is obvious to one of ordinary skill in the art
based on their knowledge and based on some common sense in problem solving. You
cannot correct a problem if you do not know why it is occurring. One of ordinary skill in 
the art would have been motivated to do what is claimed. With respect to having 
current controls in place to detect the failure modes, this is something that one of 
ordinary skill in the art would also find desirable. This is because one of ordinary skill in 
the art would find it desirable to ensure that you do not violate any compliance 
requirements. To ensure that you do not violate any compliance requirements, one 
must ask the question of how can this be done? One of ordinary skill in the art would 
have clearly considered monitoring by having some form of "controls" in place, so that 
any potential issues of non-compliance can be identified before they become a real 
issue. This is something that one of ordinary skill in the art would find desirable based 
on the problem being addressed and the level of knowledge that one of ordinary skill in 
the art has. With respect to the detection rating, this is taken as just an assessment of 
the controls in place that are to detect failure modes. Clearly, if you are using controls 
to identify failure modes, you must have some confidence with the current controls and 
must have some level of confidence that they will work as intended and will identify 
failure modes. One of ordinary skill in the art would have been motivated to also assess 
the controls that are in place as far as their effectiveness is concerned. It would have 
been obvious to one of ordinary skill in the art at the time the invention was made to 
have some controls in place to detect failure modes and to also have a detection rating 
that is an assessment of the overall effectiveness of the current controls. With respect 
to the "occurrence rating", this is nothing more than a measure of the chance that a particular
compliance failure mode will occur. This is like figuring out the odds that a certain 
situation may arise or figuring out what the percentage chance is that something will 
occur so you know what kind of situation you are dealing with, something that is well 
within the knowledge of one of ordinary skill in the art. When the chance of a particular 
failure is high, one of ordinary skill in the art would like to know that fact so that the 
chance of that failure occurring can be minimized. In the world we live in it is 
commonplace for people to express the likelihood of an occurrence happening. 
Examples include the odds of a team making the Super Bowl, or an expression of the 
chance for rain by a weather forecaster. The concept of determining an occurrence 
rating (can be odds or percentages) that represents the likelihood of something 
happening is very well known in the art. One of ordinary skill in the art that is dealing 
with compliance issues and prevention of failure modes from occurring would certainly 
want to know what the chance is of certain failure modes occurring so the situation can 
be addressed to minimize the chances of the failure occurring. This is considered to be 
obvious to one of ordinary skill in the art. Also considered to be obvious is that 
recommended actions would be implemented to reduce the risk associated with each 
compliance risk that was identified. This is the reason you are looking at the risks in the 
first place. You want to take actions that will reduce the risk for each compliance risk. 
With respect to the storing of the data in the database, the Background of the invention 
section states that some legislation requires employers "to provide an audit trail of their 
actions that is sufficiently transparent to show that they have an effective management 
program which includes hazard identification, appropriate training and supervision of
staff, recording details", etc. One of ordinary skill in the art at the time the invention
was made would have been motivated to save all of the compliance data in the 
database to ensure that there is a transparent audit trail that would be evidence of 
management doing what they are supposed to be doing as far as compliance 
monitoring goes. With respect to the limitation that recites the RPN as being a product
of the severity rating, occurrence rating, and detection rating, the examiner takes the
position that the RPN is a product of (the result of) taking into account various factors
relating to the compliance issues, which as set forth in the rejection of record, includes 
issues of severity, occurrence, and detection. To take these factors into account to 
produce the RPN is obvious because the RPN is itself related to what failures may 
occur, the chance they have of occurring, and any controls in place that would detect 
failures. The independent claims have been amended to recite a "product" which is not 
being interpreted to be a mathematical product as this term can be construed as simply 
the result of these ratings being considered. 

With respect to having a dashboard that summarizes actions to be taken and key 
metrics, Buddie discloses a system and method for compliance management. Buddie 
specifically discloses that a dashboard is used to identify compliance issues and to 
collect, process, and display compliance data. See column 4, line 62 to column 5, line 8 
and column 6, line 46 to column 7, line 23. Using a dashboard for compliance 
monitoring is known and disclosed by Buddie. It would have been obvious to one of 
ordinary skill in the art at the time the invention was made to provide Fetherston with a 
"policy dashboard" so that key data regarding compliance issues can be summarized
and so that recommended actions can be monitored. With respect to the data that 
applicant is claiming the dashboard as summarizing; this is taken as non-functional 
descriptive material because the data is never actually used in any further steps. Data 
that is simply displayed on a screen and never used is not sufficient to be considered 
patentably distinguishing. However, in view of Buddie and the teaching of a dashboard 
for compliance monitoring, the examiner believes that the resulting structure is present 
in the 103 combination. Dashboards as claimed are not new and are something
disclosed by Buddie. 

For claims 2,32,34,50, with respect to the limitation of defining what constitutes a 
yes answer, the examiner notes that paragraph 37 discloses that one of the formats for 
the questionnaire is a "true/false" type of format. That is the same as having yes or no 
answers. This inherently involves a previous determination as to what defines a yes 
(true) or no (false) answer so that the compliance assessment can be performed. 
People make up the forms and the questions, not the computer system. In Fetherston 
questionnaire answers are obtained, and results are compiled and presented to
management as claimed. Not disclosed is a "binary questionnaire", and the assembling 
of a cross functional team. With respect to the "binary questionnaire", the use of binary 
code is very old and well known in the art. Binary language is the basic language that 
computers use for data. It would have been obvious to one of ordinary skill in the art at 
the time the invention was made to use a "binary" questionnaire because the use of 
binary code is very old and well known in the art and is something that one of ordinary 
skill in the art would readily be aware of. With respect to the assembling of a cross
functional team, the examiner notes that applicant does not actually recite that the team 
does anything. One of ordinary skill in the art at the time the invention was made would 
have found it obvious to assemble a cross functional team (a team of employees) that 
would serve to help set up the entire compliance monitoring system and assist in 
determining what questions should be asked when a "true/false" format for the 
questionnaire is used. 

For claim 4, not specifically disclosed is the step of identifying failure modes with 
the causes and effects of the compliance failure modes along with the storing of this 
data in the database. When one receives an indication that certain legislative 
requirements (or internal company criteria) are not being met, one of ordinary skill in the 
art would obviously want to know why that is happening, so that the problem can be 
fixed. Upon receiving information that indicates failure to comply with certain 
compliance requirements, one of ordinary skill in the art at the time the invention was 
made would have been motivated to identify failure modes for each risk, with the 
associated causes and effects of those failure modes so that the problem can be 
corrected. This is how one of ordinary skill in the art would go about correcting the
non-compliance issues identified. You must first identify the problem and figure out why it is
happening (causes/effects) before you can arrive at a solution. One of ordinary skill in 
the art would have been motivated to do what is claimed. Also not disclosed is the 
prioritizing actions that need to be taken and the developing of a scorecard to be used 
as a monitoring and reporting tool. With respect to the prioritizing of actions that need 
to be taken, when one determines the reason why non-compliance is occurring and
develops a proposed solution (actions that need to be taken), one of ordinary skill in the 
art at the time the invention was made would have been motivated to prioritize those 
actions that need to be taken so more effort can be spent on those actions that will 
provide more of a positive result, so that effort is not spent on actions that have a small 
effect on the problem. With respect to the development of a policy scorecard, one of 
ordinary skill in the art at the time the invention was made would have found it obvious 
to have some manner by which one could grade the efforts of management in 
compliance monitoring and in correcting any issues of non-compliance. This is 
interpreted to be the mere assessment or appraisal of the company in its efforts to 
ensure company compliance and in fixing the problems. Appraisals or reports on the 
performance of a company or a part of a company are nothing new (i.e. GAO reports of 
the Federal Government). 

With respect to claim 7, in addition to that disclosed above, not disclosed is 
ensuring that the actions are completed in a timely manner. One of ordinary skill in the 
art at the time the invention was made would have been motivated to ensure that any 
corrective actions that need to be taken are done in a timely manner, so that the 
identified non-compliance risks will not continue. Timely completion of taking action to 
correct the problems is something that one of ordinary skill in the art would clearly 
appreciate. 

For claims 8,33,35,36,66,67, the questionnaire is a "question owners matrix". It
is a matrix of questions to be answered. The use of a knowledge base is the use of the 
computer system and the stored data. That is a knowledge base. 

For claims 9,37, not disclosed is the use of a spreadsheet to compile the results. 
It is old and well known in the art that spreadsheets are used to process data and 
display data for anything one desires. One of ordinary skill in the art would have this 
fact in their knowledge. It would have been obvious to one of ordinary skill in the art at 
the time the invention was made to use a spreadsheet to display results data, because 
spreadsheets are well known as being a commonly used format to display data and is 
something that one of ordinary skill in the art would understand and appreciate. 

For claims 10,30,38, not disclosed specifically is the use of a program 
assessment summary and a policy assessment summary. Taking into consideration 
that the reason you are tracking compliance data is to ensure that you are in 
compliance with certain regulations or criteria and given that summary data is compiled
in Fetherston, it would have been obvious to one of ordinary skill in the art at the time 
the invention was made to present the upper members of management with a summary 
of how the "compliance program" is going by having a program assessment (is the 
program working and achieving real world results that justify the program's existence) 
and a policy summary, that summarizes what policies (i.e. training programs) are 
working or not working. One of ordinary skill in the art would have been motivated to 
summarize the results as claimed. 

For claims 11,39, not disclosed is the mapping of a high level business risk 
model and a quality function deployment. With respect to the risk model, one of 
ordinary skill in the art would have found the use of a risk model (very broad language) 
as obvious, because this is the way that one would go about analyzing the risk to a 
company. You would construct a risk model, which can simply be a report of the 
possible risks and how they may affect the company. With respect to the quality 
function deployment, as this is best understood by the examiner, this is the use of a 
matrix to summarize the compliance requirements (from page 12 of the instant 
specification). The use of a matrix is old and well known in the art. One of ordinary skill 
in the art would have found the use of a matrix obvious because one of ordinary skill in 
the art would recognize that matrixes can be used to summarize any kind of data one 
desires. 

For claims 20,49, not disclosed is the identifying of the top 3-5 compliance 
requirements that have the highest risk. One of ordinary skill in the art would clearly be 
the most concerned with those compliance areas that have the greatest risk. This is 
just obvious common sense that one of ordinary skill in the art would recognize. With 
respect to determining the top 3-5 compliance requirements, one of ordinary skill in the 
art would find it obvious to not just focus on one compliance risk area, but to focus on a 
plurality of the top areas of concern. Depending on the number of compliance areas in 
need of attendance, one of ordinary skill in the art would have found it obvious to 
identify the top 3-5 compliance requirements that have the greatest risk to the business, 
so that those risks can be minimized. 

For claims 22,53, not specifically disclosed is determining failure modes for each 
step in a process. In the rejection for claim 1, the issue of determining failure modes 
and causes and effects was addressed. With respect to determining failure modes for 
each step in a process, one of ordinary skill in the art would have been motivated to do 
a complete failure mode analysis, which would involve looking at all steps of a process 
where failures could occur. One of ordinary skill in the art would be motivated to look at 
the entire process, not just one step, so that the analysis would be complete and as 
accurate as possible. With respect to brainstorming potential effects, this is part of the 
determination of the cause and effects that has been previously addressed. 
Brainstorming is just coming up with what the effects could be. 

For claims 25,55,56, not disclosed is the step of entering the recommended 
actions, an owner, and an expected date of completion into the matrix. The limitation of 
determining actions to be taken has already been addressed. With respect to the 
entering of these actions in addition to an owner and an expected completion date, one 
of ordinary skill in the art would have been motivated to track the recommended actions, 
who is responsible for ensuring they are followed through on, and when it is expected 
that they are going to be completed. This is information that one of ordinary skill in the 
art would have recognized as being important. If you take the time to formulate some 
actions that can be taken to minimize the risk to a company, you would also be 
motivated to track the progress of those actions and document who is responsible for 
ensuring that those actions are undertaken, along with dates of when it will be 
completed, so that the management personnel overseeing the implementation of these 
actions will know what they are doing, who is doing it, and what the timeline is for the 
progress of those actions. One of ordinary skill in the art would have been motivated to 
do what is claimed. 

For claim 27, not disclosed is the monitoring of the progress. When one is using 
the method of Fetherston to address compliance risks, one of ordinary skill in the art 
would have been motivated to revisit the issues at a later point in time to see whether or 
not the risk of non-compliance has gone down (monitoring the progress). 

For claims 28,58, with respect to the use of a policy scorecard, one of ordinary 
skill in the art at the time the invention was made would have found it obvious to have 
some manner by which one could grade the efforts of management in compliance 
monitoring and in correcting any issues of non-compliance. This limitation is interpreted 
to be the mere assessment or appraisal of the company in its efforts to ensure company 
compliance and in fixing the problems. Appraisals or reports (scorecards) on the 
performance of a company or a part of a company are nothing new (i.e. GAO reports of 
the Federal Government). 

For claims 60-62, the prior art is fully capable of operating as claimed. The 
server can receive information in any of the claimed manners. 

For claims 119-122, when one has recommended an action to be taken, as these 
claims require, one of ordinary skill in the art would clearly find it desirable to monitor 
the status of the recommended action (with updates) and one would naturally want to 
know if the action has completed or not. This is so that one can be assured that the 
action has been completed and when that has been done, one would naturally want to 
reassess the level of risk now associated with that compliance risk, especially after 
some action has been taken to reduce that risk. Once a risk is identified and one 
determines that the risk needs to be lowered, one takes steps to do so, such as by 
implementing control measures as already addressed by the examiner. When one is 
trying to lower risk, they are interested in finding out whether or not the risk has actually 
been reduced by whatever action has been taken. To recalculate the risk associated 
with a compliance risk, after an action has been taken to hopefully reduce that risk is 
considered to be obvious. One of ordinary skill in the art at the time the invention was 
made would have found it obvious to recalculate the risk as claimed (the RPN) after an 
action has been taken (which is required by the claims). 

9. Applicant's arguments filed 6/9/08 have been fully considered but they are not 
persuasive. 

With respect to the traversal of the 101 rejection it is not persuasive. With 
respect to the arguments in the most recent response, applicant has essentially argued 
that the values are determined from information in a database so that renders it 
concrete. The disclosure states that the knowledge base includes information from 
compliance leaders and information relevant to each business and for each 
environment as well as standards for minimum program qualities and the level of 
documentation required for proof in answering questions. Just because this information 
is stored in a database does not mean that the invention is then concrete. The 
disclosure indicates that the severity rating is generated using stored information in the 
knowledge base, where the stored information is determined by a compliance expert (a 
human being). Applicant is arguing that the invention is concrete even though the 
information used by a person to assign a severity rating is also determined by a person. 
Human determined data is used by another human to arrive at further human data, both 
of which are subjective in nature and depend on the person who is deciding what the 
data should be. This does not result in concreteness under 35 USC 101. Also, 
applicant has argued that if a business reputation is damaged, the severity rating is 
high, versus when the reputation is only impacted regionally, the severity rating is low. 
The examiner notes that the equation that uses the severity rating does not work with 
high and low because it is a numerical equation that requires numbers not words. 
There is no guidance on what is meant by a reputation being damaged versus a 
company impact (totally unclear what this means) versus a regional impact. If the 
severity rating is high, what number does one use to calculate the QFD? Using "high" 
or "low" in the QFD equation will not work. With respect to the fact that the disclosure 
states that the process strength rating can be accomplished by any known rating 
system, this means that somebody can make up their own rating system and it will just 
work fine with applicant's invention? This is such a general and vague disclosure that it 
cannot be found to be sufficient guidance to allow one to arrive at the same result, 
especially when two people are using totally different rating systems. With respect to 
the disclosure of choosing values from 1 to 10, how can one go about and figure out 
whether or not a value of 2 is appropriate versus a 3 or possibly a 4? What are the 
values between one (remote chance) and ten (assured) supposed to have as far as 
meaning goes? What if there is a reasonable chance? Is this a 6 or a 7 or maybe an 
8? This decision will necessarily affect the end result of the method. There is 
insufficient guidance given in the specification and in the opinion of the examiner, this 
process is not concrete as is required by 35 USC 101. The disclosure also indicates in 
paragraph 81 that the rating factors are assigned based on a standard rating system. 
What is that standard rating system? The applicant has not disclosed what it is so how 
can somebody repeat the result, especially when they try to use their own rating system 
that the instant applicant may not even know about. The fact that people use 
information from a database (where that stored information is also decided upon by 
people) and then use an unknown and undisclosed rating system for certain variables 
means that the same result cannot be arrived at by two given people because all of the 
information is determined by people and is simply subjective in nature. The arguments 
are not persuasive. The examiner also wants to repeat the rebuttal from the last 
response because it also sets forth the position of the examiner and is relevant to the 
presented arguments. In the RCE non-final rejection the examiner stated: 

"With respect to the traversal of the 35 USC 101 rejection it is not persuasive. 
Applicant has argued that an experienced risk assessor would be able to figure out how 
to value the detection rating, severity rating, and process strength rating. At the outset 
the examiner notes that applicant has not introduced any kind of evidence from an 
experienced risk assessor, and notes that there is no evidence of record that shows that 
applicant's counsel is an experienced risk assessor. It is also not clear what an 
"experienced risk assessor" means. The portions of the specification cited by applicant 
in support of their arguments clearly state things such as "the risks are analyzed by the 
team", and "the effect of each failure mode is determined by the team, who then try to 
identify the potential causes". Human beings and their subjective thoughts, opinions, 
and decisions come into play during the process of determining the detection rating, 
severity rating, and process strength rating. Applicant has referred to the specification 
where it is taught that "the standard rating system includes values from one to ten" and 
that the ratings are using this kind of a system. The decision as to what value each of 
the various ratings is supposed to have is to be decided by human beings and is a 
subjective analysis that is not concrete. It is disclosed that a value of one means "a 
remote likelihood of occurrence" and a value of ten means "failure is assured". The 
issue of "remote likelihood" and "assured" is itself very subjective and depends on what 
one person feels satisfies "remote" and "assured". There is no guarantee that any two 
or more people will naturally agree on the same definition for these broad terms. There 
is no showing or reason to conclude that this decision is such that there is substantial 
repeatability in that two given people or teams of people will arrive at substantially the 
same solution. This is especially true because this method could be used for any kind 
of business and with totally different kinds of possible risks that need to be valued. 
There is no qualitative manner by which this number is arrived at because it is left up to 
human beings and their opinions and judgments to decide what values the ratings are to 
have. How can one go about and figure out whether or not a value of 2 is appropriate 
versus a 3 or possibly a 4? What are the values between one (remote chance) and ten 
(assured) supposed to have as far as meaning goes? What if there is a reasonable 
chance? Is this a 6 or a 7 or maybe an 8? This decision will necessarily affect the end 
result of the method. There is insufficient guidance given in the specification and in the 
opinion of the examiner, this process is not concrete as is required by 35 USC 101. The 
same is true for the other ratings at issue. The fact that the detection rating, severity 
rating, and process strength rating are given values by human beings, and given that 
this will necessarily depend on the opinions and judgments of humans as to what 
constitutes a "remote" chance or "assured" chance, the examiner has concluded that 
the claims do not comply with 35 USC 101 and are not directed to an invention that is 
considered to be concrete. Because humans are involved and the human mind is 
subjectively deciding what values these ratings are to have, the result is not 
substantially repeatable to an extent that the same result can be produced as is 
required by 35 USC 101. With respect to the QFD score, which is determined by a 
mathematical equation that uses the human decided values for the detection rating, 
severity rating, and process strength rating, this is also not substantially repeatable to 
an extent that the same result can be produced as is required by 35 USC 101. The 
rejection is being maintained. Applicant's arguments for the QFD score are the same 
as for the detection rating, severity rating, and process strength rating." 

With respect to the 112, 1st rejection and claims 1,31,63,76, the arguments are 
not persuasive. Applicant has essentially argued the same points as were argued for 
the 101 rejection. The applicant has argued that the applicant describes the detection 
rating as being based on a standard or known rating system, but has failed to disclose 
what the rating system actually is. How can anyone perform the invention as claimed 
when they have no idea what kind of rating system to use? This disclosure is just so 
vague and non-specific that one of skill in the art could not possibly make and use the 
invention as claimed without undue experimentation. The examiner even feels that this 
disclosure means that a person skilled in the art will have to invent their own rating 
system and make it work with the instant invention because the applicant failed to 
disclose how they are specifically structuring their rating system. The vague disclosure 
to a knowledge base containing information relevant for a business is not any kind of 
guidance that allows a person skilled in the art to make and use the invention as 
claimed. 

With respect to claim 31 and the issue of how one would go about programming 
a server to do what is claimed the argument is not persuasive. Applicant has now 
argued that the server is the one prioritizing the risks and not people, which seems to 
directly contradict the previous traversal and the specification itself. Paragraph 68 
specifically discloses that: 

"In addition, risks are prioritized. Resources used to prioritize 
risk may include functional leaders, compliance leaders, compliance experts, 
policy owners, a management team, and legal counsel. Risk prioritization is used to 
assess the compliance risk, relating the risk to processes, products and environments 
and identifying and prioritizing the highest risk(s). Prioritization of the risk(s) is 
performed by mapping a high-level risk model and compiling a list of compliance 
requirements. Next, the list of compliance requirements is prioritized and 
construction of a quality function deployment (QFD) matrix is started using system 
10. A severity rating for non-compliance with the requirements is entered by a 
designee of the resource team listed above, and the compliance policies are 
assessed and valuated. Finally, the immediate risks are identified, construction of the 
QFD matrix is completed and the compliance risk areas are prioritized." 

There is no support for arguing that the server is the one doing what is claimed. 
It is clearly disclosed as being done by people and paragraph 68 states as much. 
Paragraph 68 never mentions anything about the server doing what is claimed. This is 
why the examiner feels that the invention is not enabled, because people do most of the 
claimed steps. 

With respect to claims 32,33,35,36, the argument is not persuasive. The 
information from the knowledge base may be used by people to assemble a team, but 
that does not mean that it is known how to program the server to replace a human being 
and their minds. The statement that a server may be programmed by one of skill in the 
art is taken as a mere allegation that this can be done. If it can be done then how is it 
done? Applicant has argued that this is enabled but the answer to the question of "how" 
has not been addressed. How can a server assemble a team as claimed when the 
instant specification discloses that this is done by people? 

With respect to claim 34, the applicant has argued that a server can be 
programmed to create a questionnaire, but the applicant has failed to explain to the 
examiner how this would be done. If it is enabled then why is there not a disclosure of 
how it is done so that the examiner can understand the steps involved? The 
questionnaire is created by people and cannot be created by a server without undue 
experimentation. The argument is not persuasive. 

For claims 39-42, and 43-56,58,60-62, applicant's traversal is nothing more than 
a general allegation of enablement. There is simply no explanation as to how one 
would go about and program a server to do what is claimed. As stated previously, just 
because the knowledge base contains information does not mean that the server can 
be programmed to do what is claimed without undue experimentation. The argument is 
not persuasive. If applicant knows how to do this then why not explain it? How is the 
server programmed to replace the human mind for the recited steps? 

The examiner notes that claims 63-89 were not addressed or traversed. 

With respect to the prior art rejection the arguments are not persuasive. 
Applicant has argued that the prior art does not disclose storing in the database 
information including persons responsible for compliance within each functional area. In 
response the examiner takes the position that identifying the department also identifies 
the persons responsible for compliance (i.e. the employees in that department). See 
figure 4 where it is disclosed that one of the data entries is the "Department". 
Applicant's argument is not persuasive. With respect to the RPN and the newly added 
limitation regarding the occurrence rating, this has been addressed in the rejection of 
record, which the applicant is referred to. The examiner has addressed the newly 
added limitations in the current rejection of record. 

10. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the mailing date of this final action. 

11. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Dennis Ruhl whose telephone number is 571-272-6808. 
The examiner can normally be reached on Monday through Friday. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Janice Mooneyham can be reached on 571-272-6805. The fax phone 
number for the organization where this application or proceeding is assigned is 
571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 



/Dennis Ruhl/ 

Primary Examiner, Art Unit 3689 



